1a9a4cf46a37070dd3ad3dee4dd09059a770003273cbbb6ff9d3df6baebfdb8a

Analysis

max time kernel
154s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24c44bf4cbbd06c672dffd9b6f78171a.exe
Size

907KB
MD5

24c44bf4cbbd06c672dffd9b6f78171a
SHA1

fc826e1ec95463fd2773fc58de5c18f8e023696b
SHA256

1a9a4cf46a37070dd3ad3dee4dd09059a770003273cbbb6ff9d3df6baebfdb8a
SHA512

4e0c2de184914bab6344daf17cb78f4684d8465b60a2e92ebb2bed865753b186a6e4af43916070e0db9d671a8d6c97cca829ec0aa0ab60dfb2d43408997e843b
SSDEEP

24576:BMlNqKkGaRVkfxbxIIYsQuxARGxzEi4Lrh+R1j44rlyxOQiFYN2OTCvYsZ+cQlfc:x5HY+hXr/UIsrG0gS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1228	24c44bf4cbbd06c672dffd9b6f78171a.exe

Executes dropped EXE 1 IoCs

pid	Process
1228	24c44bf4cbbd06c672dffd9b6f78171a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3800	24c44bf4cbbd06c672dffd9b6f78171a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3800	24c44bf4cbbd06c672dffd9b6f78171a.exe
1228	24c44bf4cbbd06c672dffd9b6f78171a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 1228	3800	24c44bf4cbbd06c672dffd9b6f78171a.exe	93
PID 3800 wrote to memory of 1228	3800	24c44bf4cbbd06c672dffd9b6f78171a.exe	93
PID 3800 wrote to memory of 1228	3800	24c44bf4cbbd06c672dffd9b6f78171a.exe	93

C:\Users\Admin\AppData\Local\Temp\24c44bf4cbbd06c672dffd9b6f78171a.exe
"C:\Users\Admin\AppData\Local\Temp\24c44bf4cbbd06c672dffd9b6f78171a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\24c44bf4cbbd06c672dffd9b6f78171a.exe
  C:\Users\Admin\AppData\Local\Temp\24c44bf4cbbd06c672dffd9b6f78171a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24c44bf4cbbd06c672dffd9b6f78171a.exe

Filesize
907KB

MD5
8bab3a67886b7515f851c1e49684130d

SHA1
15bc322063177b0ebae2eab4b6e7182c6a9eae28

SHA256
d8ed113e4dd932561776fcc8327215d07de3189b478425505f136ea732a2a738

SHA512
46a540f139c8d8221ee29af0a3e64aa33f7affaf522821680ff735f5ab306f0b17903f64849cd0effff19bf32067e9494237ad8beacbf43b2670c6b240ec59b8

Download Submit
memory/1228-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1228-14-0x00000000017D0000-0x00000000018B8000-memory.dmp

Filesize
928KB

Download
memory/1228-20-0x00000000051A0000-0x000000000525B000-memory.dmp

Filesize
748KB

Download
memory/1228-21-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1228-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-32-0x000000000C840000-0x000000000C8D8000-memory.dmp

Filesize
608KB

Download
memory/3800-0-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/3800-1-0x0000000001780000-0x0000000001868000-memory.dmp

Filesize
928KB

Download
memory/3800-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3800-11-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download